Exetools


psgama 09-05-2017 12:54

Newbie with potential ECC protection
 
***ATTEMPT THE CHALLENGE BELOW*** SOLUTION IS A COUPLE OF POSTS DOWN

I am a hobbyist of Reverse Engineering, for software and hardware. I am not a programmer by any means, so this may be a basic problem.
Took me about 12 hours to solve really digging in. This can be solved using human pattern recognition.

I have a small table of valid Device IDs and serial numbers; the challenge is to determine the function that makes them valid.
The serial check function is being performed in the hardware of a standalone device. Therefore no RE using OllyDBG or WinDBG is possible. Entirely a mental exercise.


ID SN
1029679 8958024
1029720 8993161
1029978 9214267
1030639 8923744
1033030 8401831
1033109 8469534
1033659 8940884
1033767 9033440
1035843 9098572
1035899 9146564

psgama 09-09-2017 08:58

So I came across another device and used the pattern that I noticed: the differential of Device ID from the last valid number in the series, multiplied by the prime number 857, plus the valid Serial Number from the first device, and I ended up with a valid serial number that worked!!

Now I just need to figure out how the original start point was arrived at.

My example was as follows:
New Dev ID requiring licensing 1033123
Previous Dev ID: 1033109
Previous S/N: 8469534
Difference In Dev ID: 14
14 * 857 = 11998
Previous S/N Plus 11988 = 8481532 = Working code.

So I'm not sure what the scheme is here, I know there is a pattern, but I can't seem to find the actual calculation. I know that it may use part of the Software revision of the unit, as that is asked for when licensing is purchased.

In all of these cases the revision is 5.4.5

I have graphed the points I have so far with a polynomial trendline to 6th order, but the calculation gives an R value of .9995 (still too much error when dealing with 10,000,000 possible serial numbers).
It won't seem to let me add a picture to show the graph, but it can be done in Excel.

What more should I look for? Solution is partial and works, but the method to get to serial from scratch still goes unknown.

silver 09-14-2017 21:39

Your pattern seems not to work for the first few pairs of SN?

Checking the software might be a good idea.

psgama 09-15-2017 06:37

I solved it.

*SPOILER ALERT* FOR THOSE WHO WISH TO TAKE A CRACK AT IT.






I broke the equation down to the factors that made sense and worked out the patterns from there. In Excel, if A2 contained the DevID, the serial number would equal:


Code:

*****SPOILER ALERT******
=((10000+(RIGHT(A2,1)+3)+((LEFT(RIGHT(A2,2),1)+7)*10)+((LEFT(RIGHT(A2,3),1)-3)*100))*857)+660


A complex problem broken down into patterns of numbers based on an input / output table of 10 original pairs. I'm feeling pretty darn good right now!
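
An added example, not part of psgama's post: a Python transcription of the Excel formula above, checked against the ten ID/SN pairs from the first post. It also shows that the formula collapses to an affine function of the last three Device ID digits, so the check can tell apart only 1000 serials, which is why a handful of observed pairs was enough to recover it. Function names are hypothetical, and the code assumes Device IDs of at least three digits.

```python
# ID/SN pairs copied from the table in the first post of this thread.
PAIRS = [
    (1029679, 8958024), (1029720, 8993161), (1029978, 9214267),
    (1030639, 8923744), (1033030, 8401831), (1033109, 8469534),
    (1033659, 8940884), (1033767, 9033440), (1035843, 9098572),
    (1035899, 9146564),
]


def serial_from_formula(dev_id: int) -> int:
    """Digit-by-digit transcription of the posted Excel formula.

    Assumes dev_id has at least three decimal digits, as every ID in the
    thread does.
    """
    digits = str(dev_id)
    ones, tens, hundreds = int(digits[-1]), int(digits[-2]), int(digits[-3])
    inner = 10000 + (ones + 3) + (tens + 7) * 10 + (hundreds - 3) * 100
    return inner * 857 + 660


def serial_affine(dev_id: int) -> int:
    """The same function with constants collected (10000 + 3 + 70 - 300 = 9773)."""
    return 857 * (dev_id % 1000 + 9773) + 660


def mismatches(pairs):
    """Return the pairs that the transcribed formula does not reproduce."""
    return [(d, s) for d, s in pairs if serial_from_formula(d) != s]


def distinct_serials(first_id: int = 1_000_000, count: int = 10_000) -> int:
    """Count distinct serials over a run of consecutive IDs."""
    return len({serial_affine(i) for i in range(first_id, first_id + count)})


if __name__ == "__main__":
    print("pairs not reproduced:", mismatches(PAIRS))
    print("distinct serials over 10,000 IDs:", distinct_serials())
```
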

chants 09-17-2017 00:23

In general we take a white-box approach to reverse engineering. You took much more of a black-box or grey-box approach, and this seems to be becoming a very popular method in the cryptography field. Software trace comparison, software fault injections, etc. But there is no one approach best suited for every sample you find out there. You have to study it and come up with the fastest attack plan route, be it inductive or deductive strategies.

psgama 09-18-2017 01:53

I appreciate your comments.
My math is good but not great. This was fairly easy to solve, only maybe 12 total hours. Good challenge though.

